Former Methodist employees plead guilty to HIPAA violations

There’s an update to a case announced in November 2022 in which five former Methodist Hospital employees in Memphis, Tennessee were charged with criminal violations of HIPAA.

According to the indictment, between November 2017 and December 2020, the five were charged with conspiring with Roderick Harvey to unlawfully disclose patient information in violation of HIPAA. Harvey paid Kirby Dandridge, Sylvia Taylor, Kara Thompson, Melanie Russell, and Adrianna Taber to provide him with names and phone numbers of Methodist patients who had been involved in motor vehicle accidents. Harvey then sold the information to third parties that included personal injury attorneys and chiropractors.

The six have now pleaded guilty. Action News 5 reports that Harvey appeared before United States District Judge Thomas L. Parker on April 21 and pleaded guilty to conspiring with Dandridge, Taylor, Taber, Thompson, and Russell to violate HIPAA. He faces a maximum penalty of five years’ imprisonment, a fine of $250,000, and three years of supervised release. His sentencing is set for August 1.

Dandridge, Taylor, Taber, Thompson, and Russell previously entered guilty pleas to disclosing the information to Harvey in violation of HIPAA. Each of those violations carries a maximum penalty of one year of imprisonment, a $50,000 fine, and one year of supervised release. Dandridge is scheduled to be sentenced today. The others will be sentenced on different dates in May and June. Action News 5 has the dates.

Is This the Methodist Le Bonheur Case?

In May 2022, Methodist Le Bonheur notified HHS that 1,370 patients had been affected by a breach involving “Unauthorized Access/Disclosure” of protected health information on a desktop computer. HHS’s investigation of that report is still open.

On March 24, 2023, the hospital issued a Substitute Notice of a Past Data Breach that appears to be related to the case:

Substitute Notice of Past Data Breach

On February 1, 2018, Methodist received information of instances of patients who had been treated in emergency rooms after motor vehicle accidents allegedly being contacted shortly thereafter by an external party who was offering them appointments to follow-up with an injury clinic and an attorney in order to pursue legal action for their accident.

Methodist promptly began an internal investigation and alerted the appropriate state and federal law enforcement authorities. Law enforcement requested that Methodist delay notifications to patients so as not to impede their investigation. Throughout, we worked collaboratively with law enforcement and implemented targeted monitoring for this type of activity based on the information we were provided by law enforcement.

Beginning in April 2022, after the law enforcement delay was lifted, we began notifying impacted patients as their contact information was identified as having been potentially shared inappropriately.

Methodist has been advised by law enforcement authorities that they have not found evidence that patient information other than contact information was disclosed. Federal authorities confirmed that no financial information was disclosed. Out of an abundance of caution (as part of their routine financial practices), individuals are always advised to remain vigilant and closely monitor financial accounts and credit reports for inaccurate information and to report any unusual activity to law enforcement.

For more information, potentially affected individuals can call toll free 1-800-298-2295 between the hours of 8am – 5 pm ET (Monday through Friday – except holidays). (Calls may go to voice mail but will be returned as soon as possible.)

DataBreaches did not find any indication that the hospital was ever sued civilly by patients over this breach.
